[asterisk-bugs] [Asterisk 0014060]: [patch] Astrerisk crashes using the app_queue.c transfer datastores
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Dec 11 10:18:05 CST 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=14060
======================================================================
Reported By: nivek
Assigned To: putnopvut
======================================================================
Project: Asterisk
Issue ID: 14060
Category: Applications/app_queue
Reproducibility: random
Severity: crash
Priority: normal
Status: assigned
Asterisk Version: 1.4.22
SVN Branch (only for SVN checkouts, not tarball releases): 1.4
SVN Revision (number only!): 162994
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 2008-12-11 07:33 CST
Last Modified: 2008-12-11 10:18 CST
======================================================================
Summary: [patch] Astrerisk crashes using the app_queue.c
transfer datastores
Description:
When Asterisk crashes and we analyze the dump, Asterisk always crashes in
main/channel.c at line 3562 of 1.4 SVN which states in the dump trace:
if (ds->info->chan_fixup)
After a lot of debugging statements, we have found that right after the
return from queue_transfer_fixup() it crashes on the above statement.
Variable ds seems to have a value but ds->info and ds->info->chan_fixup
comeback as undefined.
Looking at the code, we believe (Marquis and I are colleagues) the
ast_channel_datastore_free in the queue_transfer_fixup is causing the
grief.
If I understand the code flow correctly, the ast_channel_datastore_remove
unlinks the datastore from the linked list but the datastore still retains
its values to point to the next data structure in the linked list. The
ast_channel_datastore_free, of course, adds the datastore allocated memory
back into the heap for it to be allocated again. We believe that the
memory added back to the heap gets reallocated to another process and
causes the crash.
This crash is very random. I has happened once a day for three days then
not again for a week. If happened within 15 minutes of each other on one
day. Sometimes it took a week or so to happen.
I have included a patch to 1.4-SVN that we have used for a little over a
month now without a crash (knock on wood). The patch also includes a
change to the time parameter passing and calculations that were using 'int'
instead of 'long'. We elected to use 'time_t' in case 'time_t' ever
changed it could be more portable. This is your call on that.
======================================================================
----------------------------------------------------------------------
(0096205) putnopvut (administrator) - 2008-12-11 10:18
http://bugs.digium.com/view.php?id=14060#c96205
----------------------------------------------------------------------
The patch certainly looks good by my eyes with one small exception. The
final call to ast_channel_datastore_free should first make sure that
transfer_ds is non-NULL. That's a trivial thing to add, though, so I'll
just do it when I commit the patch.
Thank you very much for ... well for pretty much everything in this
report: the time taken to find the problem, the good patch which follows
coding guidelines, and the time taken to test it. I will get this committed
shortly.
Issue History
Date Modified Username Field Change
======================================================================
2008-12-11 10:18 putnopvut Note Added: 0096205
======================================================================
More information about the asterisk-bugs
mailing list